File name:	_24d4f12d88d5d787dffe22d0fb215e00e5f23ae9c9e6702d7aa4da518f93a2f1.sh
Full analysis:	https://app.any.run/tasks/12b7c0b6-6e77-4897-a28c-62d87e22557e
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	February 28, 2026, 19:29:34
OS:	Ubuntu 22.04.2
Tags:	mirai botnet
Indicators:
MIME:	text/x-shellscript
File info:	Bourne-Again shell script, ASCII text executable
MD5:	F716829048AF27364B3D44E85C351388
SHA1:	8649E9F2FA0D1D5E1FCB643665CB0813BD29042D
SHA256:	24D4F12D88D5D787DFFE22D0FB215E00E5F23AE9C9E6702D7AA4DA518F93A2F1
SSDEEP:	48:vMUlUIblUIUMEUcUhUHUSUbUyU2UXUzUBn:vMUlUmUIUMEUcUhUHUSUbUyU2UXUzUBn

PID	Process	Filename		Type
1986	wget	/tmp/MMaaRRiiOisecTanee.x86		binary
		MD5:—	SHA256:—
1987	curl	/tmp/MMaaRRiiOisecTanee.x86		binary
		MD5:—	SHA256:—
1991	cat	/tmp/lovers		binary
		MD5:—	SHA256:—
1998	wget	/tmp/MMaaRRiiOisecTanee.mips		binary
		MD5:—	SHA256:—
2004	curl	/tmp/MMaaRRiiOisecTanee.mips		binary
		MD5:—	SHA256:—
2018	wget	/tmp/MMaaRRiiOisecTanee.mpsl		binary
		MD5:—	SHA256:—
2022	curl	/tmp/MMaaRRiiOisecTanee.mpsl		binary
		MD5:—	SHA256:—
2033	wget	/tmp/MMaaRRiiOisecTanee.arm		binary
		MD5:—	SHA256:—
2034	curl	/tmp/MMaaRRiiOisecTanee.arm		binary
		MD5:—	SHA256:—
2041	wget	/tmp/MMaaRRiiOisecTanee.arm5		binary
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	200	185.125.188.57:443	https://api.snapcraft.io/api/v1/snaps/auth/nonces	GB	—	53 b	—
—	—	POST	200	185.125.188.58:443	https://api.snapcraft.io/api/v1/snaps/auth/sessions	GB	—	—	unknown
—	—	POST	200	185.125.188.54:443	https://api.snapcraft.io/v2/snaps/refresh	GB	text	39.3 Kb	unknown
—	—	GET	204	185.125.190.97:80	http://connectivity-check.ubuntu.com/	GB	—	—	unknown
—	—	POST	200	185.125.188.59:443	https://api.snapcraft.io/v2/snaps/refresh	GB	—	39.3 Kb	unknown
—	—	GET	—	185.125.190.17:80	http://connectivity-check.ubuntu.com/	GB	—	—	unknown
—	—	GET	—	185.125.190.97:80	http://connectivity-check.ubuntu.com/	GB	—	—	unknown
—	—	POST	—	185.125.188.54:443	https://api.snapcraft.io/v2/snaps/refresh	GB	—	—	unknown
2004	curl	GET	200	103.68.109.50:80	http://103.68.109.50/m4ng0d33w1771nnmnlove/MMaaRRiiOisecTanee.mips	AU	binary	110 Kb	unknown
2018	wget	GET	200	103.68.109.50:80	http://103.68.109.50/m4ng0d33w1771nnmnlove/MMaaRRiiOisecTanee.mpsl	AU	binary	114 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	79.127.216.204:443	odrs.gnome.org	CDN77 _	GB	whitelisted
456	avahi-daemon	224.0.0.251:5353	—	—	—	whitelisted
—	—	185.125.190.17:80	connectivity-check.ubuntu.com	CANONICAL-AS	GB	whitelisted
—	—	185.125.190.97:80	connectivity-check.ubuntu.com	CANONICAL-AS	GB	whitelisted
—	—	79.127.211.89:443	odrs.gnome.org	CDN77 _	GB	whitelisted
—	—	185.125.188.58:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
—	—	185.125.188.54:443	api.snapcraft.io	CANONICAL-AS	GB	whitelisted
1986	wget	103.68.109.50:80	cnc.mu-minhvuong.com	HOST-AS-AP Host Universal Pty Ltd	AU	unknown
1987	curl	103.68.109.50:80	cnc.mu-minhvuong.com	HOST-AS-AP Host Universal Pty Ltd	AU	unknown
416	systemd-timesyncd	185.125.190.56:123	ntp.ubuntu.com	CANONICAL-AS	GB	whitelisted

Domain	IP	Reputation
odrs.gnome.org	79.127.216.204 37.19.194.81 195.181.170.19 212.102.56.179 79.127.211.89 195.181.175.40 2a02:6ea0:c700::19 2a02:6ea0:c77a::48 2a02:6ea0:c700::21 2a02:6ea0:c700::101 2a02:6ea0:c77a::47 2a02:6ea0:c700::11	whitelisted
connectivity-check.ubuntu.com	2620:2d:4002:1::198 2620:2d:4000:1::22 2620:2d:4000:1::96 2620:2d:4000:1::23 2620:2d:4002:1::196 2001:67c:1562::24 2620:2d:4000:1::98 2620:2d:4000:1::2a 2620:2d:4000:1::97 2620:2d:4002:1::197 2001:67c:1562::23 2620:2d:4000:1::2b 185.125.190.97 185.125.190.48 91.189.91.49 91.189.91.96 91.189.91.98 185.125.190.17 185.125.190.96 185.125.190.49 185.125.190.98 91.189.91.97 91.189.91.48 185.125.190.18	whitelisted
api.snapcraft.io	185.125.188.58 185.125.188.57 185.125.188.54 185.125.188.59 2620:2d:4000:1010::2cc 2620:2d:4000:1010::117 2620:2d:4000:1010::42 2620:2d:4000:1010::2d6	whitelisted
google.com	142.251.127.138 142.251.127.139 142.251.127.113 142.251.127.102 142.251.127.101 142.251.127.100 2a00:1450:4001:81d::200e	whitelisted
13.100.168.192.in-addr.arpa	—	whitelisted
cnc.mu-minhvuong.com	103.68.109.50	malicious
ntp.ubuntu.com	185.125.190.58 185.125.190.57 91.189.91.157 185.125.190.56 2620:2d:4000:1::41 2620:2d:4000:1::3f 2620:2d:4000:1::40	whitelisted

PID	Process	Class	Message
1986	wget	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
1986	wget	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
1986	wget	A Network Trojan was detected	BOTNET [ANY.RUN] Linux/Mirai ELF-file download via wget (x86)
1986	wget	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
1987	curl	Potentially Bad Traffic	ET INFO x86 File Download Request from IP Address
1987	curl	Potentially Bad Traffic	ET HUNTING Suspicious GET Request for .x86
1987	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
1987	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
1998	wget	A Network Trojan was detected	AV INFO Possible Mirai .mips Executable Download
1998	wget	Potentially Bad Traffic	ET INFO MIPS File Download Request from IP Address

General Info

_24d4f12d88d5d787dffe22d0fb215e00e5f23ae9c9e6702d7aa4da518f93a2f1.sh

F716829048AF27364B3D44E85C351388

8649E9F2FA0D1D5E1FCB643665CB0813BD29042D

24D4F12D88D5D787DFFE22D0FB215E00E5F23AE9C9E6702D7AA4DA518F93A2F1

48:vMUlUIblUIUMEUcUhUHUSUbUyU2UXUzUBn:vMUlUmUIUMEUcUhUHUSUbUyU2UXUzUBn

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

MIRAI has been detected (SURICATA)

SUSPICIOUS

Modifies file or directory owner

Potential Corporate Privacy Violation

Reads passwd file

Uses wget to download content

Uses curl to download content

INFO

Creates file in the temporary folder

Checks timezone

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings